[squid-dev] [RFC] "Splicing" bumped requests to resolve\workaround WebSockets issues.

Alex Rousskov rousskov at measurement-factory.com
Sun Jul 17 19:38:43 UTC 2016


On 07/15/2016 04:29 AM, Eliezer Croitoru wrote:
> The issue:
> 
> Clients are issuing secured connections which contain WebSockets
> internally and squid HTTP parsing breaks these connections.

> Another related issue which deserves attention:
> 
> Certificate pinning and connection breakage.
> 
> Currently we cannot determine for many connections what is the "issue",
> is it the bumping itself or the breakage of a WebSocket http connection.



> An acceptable solution:
> 
> Alex mentioned the option to splice a bumped connection.  
> 
> I do not know exactly what Alex meant since not many details were presented.

I do not know exactly what Alex meant either since you provided no
source for that alleged Alex' opinion.


> As I understand, it would not be possible to do this kind of splice
> without bumping first.

I recommend avoiding "splice after bump" terminology because, in SslBump
context implied by the word "bump", that combination makes no sense: It
is not possible to splice bumped connections.

I suggest using "tunnel after bump" instead. Please note that "tunnel"
(not "splice") is one of the on_unsupported_protocol actions.


HTH,

Alex.